@@ -23,6 +23,11 @@ Save the value for the next step:
* **Client ID**
* **Client Secret**

.. Configure your {rhsso} realm for performance and security:
... Navigate to the **Configure** > **Realm Settings**.
... Set the **Access Token Lifespan** to a value greater than five minutes (preferably 10 or 15 minutes) to prevent performance issues from frequent refresh token requests for every API call.
... Enable the **Revoke Refresh Token** option to improve security by enabling the refresh token rotation strategy.

.. To prepare for the verification steps, in the same realm, get the credential information for an existing user or link:https://docs.redhat.com/en/documentation/red_hat_single_sign-on/7.6/html-single/getting_started_guide/index#create-user_[create a user]. Save the user credential information for the verification steps.

. To add your {rhsso} credentials to your {product-short} secrets, edit your {product-short} secrets, such as `secrets-rhdh`, and add the following key/value pairs:
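Review bot: The **Access Token Lifespan** step gives only a lower bound and a performance reason, although its parent step is titled "performance and security". A longer-lived access token also stays usable for longer if it leaks, so state that tradeoff and recommend the 10 or 15 minutes already given in the parentheses rather than an open-ended "greater than five minutes". Two wording points in the same block: "Navigate to the **Configure** > **Realm Settings**" should drop "the", and "frequent refresh token requests for every API call" would read more clearly as something like "a token refresh on nearly every API call". For **Revoke Refresh Token**, "enabling the refresh token rotation strategy" would benefit from one clause saying what rotation means for the reader, namely that each refresh token is replaced when it is used.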
@@ -163,6 +168,18 @@ auth:
----
--

`auth.backstageTokenExpiration`::
--
To modify the {product-short} token expiration from its default value of one hour, note that this refers to the validity of short-term cryptographic tokens, not the session duration. The expiration value must be set between 10 minutes and 24 hours.

.`app-config-rhdh.yaml` fragment with optional `auth.backstageTokenExpiration` field
[source,yaml,subs="+quotes"]
----
auth:
backstageTokenExpiration: { minutes: _<user_defined_value>_ }
----
--

--

.Verification
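Review bot: The first added sentence under `auth.backstageTokenExpiration` never tells the reader what to do: it opens with "To modify the {product-short} token expiration ..." and then continues with "note that this refers to ...", so the instruction itself is missing. Suggest splitting it, for example "Optional. Set this field to change the {product-short} token expiration from its default value of one hour. This is the validity of short-term cryptographic tokens, not the session duration." It would also help to say what happens when the value falls outside the stated range of 10 minutes to 24 hours, and to confirm that `backstageTokenExpiration` is indented under `auth:` in the YAML fragment, since it appears at the same level here.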